Generating Certificates from a Different Machine


#1

Hi

Will it be possible to generate certificates and keys for a particular domain from another system?

For example, I’ve a server running on Machine 1, but I want to generate the cert & key from Machine 2.


#2

Yes, you can do so with manual mode.


#3

Thanks a lot Mr @Osiris for your reply.

I have tried generating the keys & certificates using the command below, but I’m getting an error.

```
vi at vi-Inspiron-7537 in /m/v/D/p/l/letsencrypt
↪ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -d connectbeta.eko.co.in -v -a manual
```

This is the error I am getting:

Failed authorization procedure. connectbeta.eko.co.in (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://connectbeta.eko.co.in/.well-known/acme-challenge/lXXJyutXcHrPmrX3SvRVRq6jiRHqnVvc1RPZIeSXdwk [59.162.104.10]: 404

IMPORTANT NOTES:

  • The following ‘urn:acme:error:unauthorized’ errors were reported by
    the server:

    Domains: connectbeta.eko.co.in
    Error: The client lacks sufficient authorization


EDIT: Why is letsencrypt-auto trying on http? It should hit on https.

Because we are just redirecting to the https version of our website whenever someone tries to hit the http one.

Can you please tell me what mistake I am making?


#5

You’re automatically redirecting to https. The http challenge needs to be conducted over http, not https. Turn off the https redirect and try again.


#6

Thanks @danb35

I will try not redirecting the http to https.

But can you please tell me, “Is it possible to do it only for https, not for http?”


#7

Hello @vivekkumar27june88,

The error is pretty clear.

The Let’s Encrypt server can’t reach the challenge on your domain. In manual mode, the letsencrypt client shows the name and the content of a challenge file that you should upload to your web server into webrootofyoursite/.well-known/acme-challenge/ before continuing with the verification. Did you upload this challenge file to your server? Also, if your server doesn’t use http because it has a permanent redirect (301), Let's Encrypt will take care of it; it should work fine in your situation because letsencrypt follows this redirect.

Cheers,
sahsanu


#8

Hello @danb35,

Letsencrypt Boulder follows this kind of redirect; there is no need to drop the redirect from http to https.

Cheers,
sahsanu


#9

The log also says: “certificate verification failed”.

So… The question is. What kind of HTTPS site is running at the moment?

Ah, I see the problem: https://www.ssllabs.com/ssltest/analyze.html?d=connectbeta.eko.co.in&hideResults=on

SSL Report: connectbeta.eko.co.in (59.162.104.10)
Certificate name mismatch
connectalpha.eko.co.in

Your “beta” server is serving the certificate for “alpha”… That’s not gonna fly with Boulder.

BTW, as I’m seeing “beta” and “alpha”: are you aware of the rate limit of a maximum of 5 certificates per 7-day (sliding) window per domain? Above that you’ll run into errors. You can test against the staging server.


#10

Thanks a lot for your time and reply @sahsanu.

Can you please explain to me about this well-known challenge?


#11

In manual mode, in the middle of the process you are requested to upload a file with a specific content to your server, and you should upload it in a directory named .well-known/acme-challenge/therandomchallengefile. So you should be able to access http://connectbeta.eko.co.in/.well-known/acme-challenge/therandomchallengefile from the internet.

Once you have uploaded that file to your server you can continue the process to validate that you own/control that domain.


#12

Hmmmm… I just read that message.


#13

Perhaps you’ve missed my post above, but your server is serving the wrong self-signed certificate. It serves the “connect alpha” certificate, not the “connect beta”. That’s why the client gives a certificate verification error and can’t verify the challenge.


#14

Thanks for the correction.


#15

Thanks to all of you :smile:


#16

Hello @Osiris,

I’ve just tested it (using staging) with a site with a permanent redirect from http to https, where the served certificate for this site is self-signed and also not valid for the tested domain. I received the same error, but the certificate was created successfully.

2015-12-16 14:34:33,295:ERROR:acme.challenges:Unable to reach http://lots.sahsanu.com/.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI: bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
2015-12-16 14:34:33,295:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/lots.sahsanu.com/fullchain.pem. Your cert
   will expire on 2016-03-15. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

So it seems the certificate is created even with that error.

Cheers,
sahsanu


#17

Well, that’s nice :stuck_out_tongue:

Errors, warnings, but still a success :smiley:

What kind of requests can you find from Boulder in your Apache/Nginx access logs? Just curious :smile:


#18
lots.sahsanu.com:80 66.133.109.36 - - [16/Dec/2015:14:34:34 +0100] "GET /.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI HTTP/1.1" 301 680 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [16/Dec/2015:14:34:34 +0100] "GET /.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI HTTP/1.1" 200 2857 "http://lots.sahsanu.com/.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
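As an added example (not part of this thread or of the Let's Encrypt client), a small Python parser for access-log lines like the two above: it picks out the Let's Encrypt validation server's requests to the HTTP-01 challenge path by user agent and classifies the outcome per token. A 301 followed by a 200 is fine, since Boulder follows the redirect; a 404, as in the first post's error, means the challenge file was never placed under the webroot. The log format assumed is Apache combined, optionally prefixed with `vhost:port` as in the first line; the sample lines are copied from the post above.

```python
import re
from collections import defaultdict

# Constructed sample: the two access-log lines quoted in the post above
# (Apache combined format; the first line carries a "vhost:port" prefix).
SAMPLE_LOG = """\
lots.sahsanu.com:80 66.133.109.36 - - [16/Dec/2015:14:34:34 +0100] "GET /.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI HTTP/1.1" 301 680 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [16/Dec/2015:14:34:34 +0100] "GET /.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI HTTP/1.1" 200 2857 "http://lots.sahsanu.com/.well-known/acme-challenge/3xl2ZY-HE55XeIDnpna5hEedGi2Z7uq32L8_QlZUSMI" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

# Optional vhost, client IP, ident, user, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def acme_validation_attempts(log_text):
    """Map challenge token -> list of HTTP status codes returned to the
    Let's Encrypt validation server, in log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or LE_UA_MARKER not in rec["ua"]:
            continue  # unparseable line, or not the CA's validator
        if not rec["path"].startswith(CHALLENGE_PREFIX):
            continue  # some other request from the same address
        token = rec["path"][len(CHALLENGE_PREFIX):]
        attempts[token].append(int(rec["status"]))
    return dict(attempts)

def assess(statuses):
    """Classify one token's status sequence: the validator must end on a 200;
    a leading 301/302 is acceptable because Boulder follows redirects; a 404
    means the challenge file was never placed under the webroot."""
    if not statuses:
        return "no validation request seen"
    if statuses[-1] == 200:
        redirected = any(s in (301, 302) for s in statuses[:-1])
        return "ok (after redirect)" if redirected else "ok"
    if 404 in statuses:
        return "challenge file missing (404)"
    return "failed with status %d" % statuses[-1]
```

Running `assess` over each value of `acme_validation_attempts(SAMPLE_LOG)` reports "ok (after redirect)" for the token above; a server that only ever answered 404 would be flagged as missing the challenge file.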

#19

So from the end-client's server side, everything goes OK, but Boulder tries to connect to port 80 (“http://”) with the TLS protocol and fails (duh)… Perhaps a bug in Boulder?


#20

I don’t really know why Boulder shows a RED error message and then creates the certs; it should be just a warning instead of an error, because it is really confusing.


#21

Is it possible to automatically renew a certificate generated like that?
Server2 generates the challenge response file, then copies it to server1 (which publishes it to the internet); after that, server2 continues the process for validation and generation of the certificate.
Yes, I want to automate the manual mode :relieved: